Let $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$ be two states that are promised to come from known subsets of orthogonal subspaces, but are otherwise unknown. Our paper probes the question of what can be achieved with respect to the basis $\{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}^{\otimes n}$ of $n$ logical qubits, given only a few copies of the unknown states $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$. A phase-invariant operator is one that is unchanged under the relative phase-shift $|\mathbf{1}\rangle \mapsto e^{i\theta}|\mathbf{1}\rangle$, for any $\theta$, of all of the $n$ qubits. We show that phase-invariant unitary operators can be implemented exactly with no copies and that phase-invariant states can be prepared exactly with at most $n$ copies each of $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$; we give an explicit algorithm for state preparation that is efficient for some classes of states (e.g. symmetric states). We conjecture that certain non-phase-invariant operations are impossible to perform accurately without many copies. Motivated by optical implementations of quantum computers, we define "quantum computation in a hidden basis" to mean executing a quantum algorithm with respect to the phase-shifted hidden basis $\{|\mathbf{0}\rangle, e^{i\theta}|\mathbf{1}\rangle\}$, for some potentially unknown $\theta$; we give an efficient approximation algorithm for this task, for which we introduce an analogue of a coherent state of light, which serves as a bounded quantum phase reference frame encoding $\theta$. Our motivation was quantum-public-key cryptography; however, the techniques are general. We apply our results to quantum-public-key authentication protocols, by showing that a natural class of digital signature schemes for classical messages is insecure. We also give a protocol for identification that uses many of the ideas discussed and whose security relates to our conjecture (but we do not know if it is secure).

1 Introduction 

We consider a new quantum-information-theoretic problem; let us first define the problem and 
then summarize our results and their significance. 

Suppose $\mathcal{S}$ is a $d$-dimensional complex vector space with computational basis $B = \{|i\rangle : i = 0, 1, \ldots, d-1\}$. Assume that we have the ability to do universal quantum computation (with respect to $B$) in $\mathcal{S}$. Let $\mathcal{S}_0 = \mathrm{span}(B_0)$ and $\mathcal{S}_1 = \mathrm{span}(B_1)$ be two orthogonal subspaces of $\mathcal{S}$ such that

$$\mathcal{S} = \mathcal{S}_0 \oplus \mathcal{S}_1 \qquad (1)$$

and $B = B_0 \cup B_1$, where the union of the orthonormal bases $B_0$ and $B_1$ is disjoint. Assume that $B_0$ and $B_1$ are known, so that we can perform universal quantum computation with respect to each of them. For all $b \in \{0,1\}$, let $A_b$ be a set of pure state vectors,

$$A_b \subseteq \mathcal{S}_b, \qquad (2)$$

whose classical description is known, such that no two elements in $A_b$ are equal up to global phase.

Definition 1 (Hidden basis). Let $|\mathbf{0}\rangle$ be a state in $A_0$ and let $|\mathbf{1}\rangle$ be a state in $A_1$, where $A_0$ and $A_1$ are defined above. These states define a hidden (computational) basis $\{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}^{\otimes n}$ of $n$ logical qubits. We call this a "hidden basis" since in general the choices of $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$ will not be known.

Remark 1 (Notation). We use boldfaced ket-labels to denote the elements of a hidden basis. 

Assuming the ability to do universal quantum computation in $\mathcal{S}^n := \mathcal{S}^{\otimes n}$ (with respect to the computational basis $B^{\otimes n}$ of $n$ $d$-dimensional qudits), we investigate the number of copies of $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$ that are required to perform unitary operations and to prepare quantum states defined with respect to the hidden basis $\{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}^{\otimes n}$. Note that the question is well defined by virtue of the known classical descriptions of $A_0$ and $A_1$, which disambiguate the global phases of the states $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$.

In Section 2 we show that any phase-invariant (see Definition 2) unitary operator on our $n$ logical qubits is exactly implementable without requiring any copies of the states $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$. We then show (see Theorem 1) that any phase-invariant density operator on $n$ logical qubits is exactly preparable from at most $n$ copies each of $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$. We then give an explicit, efficient algorithm for creating symmetric states, based on Ref. [1], that easily generalizes to creating any phase-invariant state. For non-phase-invariant unitary operators, such as the logical Hadamard gate, we conjecture that a large number of copies of $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$ is needed; we give a precise conjecture, in a simplified framework, in the Appendix. Our conjecture adds to the important discussion of what can and cannot be done in quantum mechanics. Knowing the limitations of a physical (computational) theory is intrinsically interesting, but no-go theorems can also be used as building blocks for other useful results. As an example of how one might use this conjecture for a new kind of cryptographic protocol, in Section 4 we present a cryptographic protocol for identification and explain how our conjecture relates to its security.
Note that, in practice, performing a quantum computation in the basis $\{|0\rangle, |1\rangle\}^{\otimes n}$, for the known qubit-states $|0\rangle$ and $|1\rangle$, is actually equivalent to performing a computation in the phase-shifted basis $\{|0\rangle, e^{i\theta}|1\rangle\}^{\otimes n}$, where one replaces $|1\rangle$ with $e^{i\theta}|1\rangle$ in all the operations. For example, in optical implementations, one typically assumes that a laser outputs coherent states $e^{-|\gamma|^2/2} \sum_{w=0}^{\infty} (\gamma^w/\sqrt{w!})\, |w\rangle$ with a random, unknown, but consistent, phase parameter $\theta = \arg(\gamma)$ (see, e.g., Ref. [2]). When using these coherent states to drive transformations in the qubits, this is equivalent to performing the entire computation in the basis $\{|0\rangle, e^{i\theta}|1\rangle\}^{\otimes n}$. It is essential that the experimentalist maintains a consistent phase reference for the duration of the computation, but the actual value of $\theta$ is unimportant. Thus, in Section 3 we consider the problem of quantum computing with respect to the phase-shifted hidden basis $\{|\mathbf{0}\rangle, e^{i\theta}|\mathbf{1}\rangle\}^{\otimes n}$ for potentially unknown $\theta \in [0, 2\pi)$. We show (see Theorem 2) that it is possible to approximate universal quantum computation in the phase-shifted hidden basis $\{|\mathbf{0}\rangle, e^{i\theta}|\mathbf{1}\rangle\}^{\otimes n}$, given a small phase reference state encoding $\theta$ (see Definition 4) that is analogous to a coherent light state. It follows (see Corollary 6) that, by using a small number of copies of $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$, one can prepare such a phase reference state for unknown and uniformly random $\theta$ and thus carry out approximate universal computation in the phase-shifted hidden basis $\{|\mathbf{0}\rangle, e^{i\theta}|\mathbf{1}\rangle\}^{\otimes n}$ for unknown and uniformly random $\theta$, in analogy to the optical implementation described above.

Our motivation for considering computing in a hidden basis is rooted in quantum-public-key cryptography, a framework, introduced in Ref. [3], in which the public keys are copies of a particular quantum state encoding a classical private key.¹ The goal of this type of cryptography is to achieve the best of both the quantum and classical worlds: the information-theoretic security of several known quantum cryptographic protocols (e.g. quantum key distribution [4, 5] and symmetric-key message-authentication [6]) and the advantages (over symmetric-key cryptography) of a modern public-key infrastructure (see e.g. Ref. [7] for details). Unfortunately, it has been shown in Ref. [6] that it is generally impossible to sign arbitrary quantum states, which means that such a quantum public-key infrastructure may be difficult (if not impossible) to attain. Nevertheless, it is important to determine to what extent quantum-public-key cryptography is feasible.

Our focus in this paper is on authentication schemes, where the owner, Alice, of the private key attempts to prove to another party, based on the assumption that this party has an authentic copy of Alice's public key, that it is indeed Alice who constructed a certain message (in the case of a digital signature scheme) or participated in a particular interaction² (in the case of an identification scheme). The only known secure quantum-public-key signature scheme is the one-time digital signature scheme for classical messages in Ref. [3]; the scheme is one-time in that it can only be used to sign one message securely before the public keys need to be refreshed. A natural next step is thus to find a "reusable" quantum digital signature scheme for classical messages or prove none exists. In the context of authentication schemes, we define reusable to mean that Alice can use the same private key to sign many different messages or prove her identity many times, but a fresh copy of the public key is needed for each verification instance. In Section 4 we describe a rather natural and general cryptographic framework, based on hidden bases, that may be suitable for reusable quantum-public-key authentication schemes. We show (see Corollary 9) how our above-mentioned state preparation result is a cryptanalytic tool, rendering insecure a class of quantum digital signature schemes within the framework, thus effectively extending the original no-go theorem for quantum digital signatures in Ref. [6]. Finally, in an attempt to stimulate further research in reusable quantum-public-key authentication schemes, we give a protocol for identification that uses many of the ideas discussed (but we do not know if the protocol is secure).

¹Note that the number of copies in public circulation must be limited, so that an adversary at the very least cannot take all the copies, measure them, and get a sufficiently good estimate of the private key.
²Such an interaction is assumed not to be susceptible to a man-in-the-middle attack [7].

2 Phase-invariant operators 

Let $\mathcal{H}$ denote the span of $\{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}$; thus, $\mathcal{H}^n := \mathcal{H}^{\otimes n}$ denotes the span of the hidden basis for $n$ logical qubits:

$$\mathcal{H}^n = \mathrm{span}(\{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}^{\otimes n}). \qquad (3)$$

For any bit-string $y = y_1 y_2 \cdots y_n \in \{0,1\}^n$, let

$$|\mathbf{y}\rangle := |\mathbf{y_1}\rangle |\mathbf{y_2}\rangle \cdots |\mathbf{y_n}\rangle. \qquad (4)$$

For any $\theta \in [0, 2\pi]$, let $U(\theta)$ be the phase-shift by $\theta$ (with respect to the basis $\{|\mathbf{y}\rangle : y \in \{0,1\}^n\}$) operator on $\mathcal{H}^n$ such that

$$U(\theta) : |\mathbf{y}\rangle \mapsto e^{iH(y)\theta} |\mathbf{y}\rangle, \qquad (5)$$

where $H(y) := \sum_j y_j$ is the Hamming weight of $y$.

Definition 2 (Phase invariant). Let $T$ be any operator on $\mathcal{H}^n$. Then $T$ is phase(-shift) invariant (with respect to $\{|\mathbf{y}\rangle : y \in \{0,1\}^n\}$) if and only if

$$U(\theta)\, T\, U(\theta)^\dagger = T \qquad (6)$$

for all $\theta \in [0, 2\pi]$.
Define the weight of $|\mathbf{y}\rangle$ to be $H(y)$, and define the weight-$w$ subspace of $\mathcal{H}^n$ as

$$\mathcal{H}^n_w := \mathrm{span}(\{|\mathbf{x}\rangle \in \{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}^{\otimes n} : H(x) = w\}). \qquad (7)$$

Fact 2. A linear operator $T$ on $\mathcal{H}^n$ is phase invariant if and only if it is block diagonal with respect to the decomposition $\mathcal{H}^n = \bigoplus_{w=0}^{n} \mathcal{H}^n_w$.

Proof. Writing $T = \sum_{y,z} T_{y,z} |\mathbf{y}\rangle\langle\mathbf{z}|$ and using $U(\theta)|\mathbf{y}\rangle\langle\mathbf{z}|U(\theta)^\dagger = e^{i\theta(H(y)-H(z))}|\mathbf{y}\rangle\langle\mathbf{z}|$, we can show that

$$U(\theta)\, T\, U(\theta)^\dagger = \sum_{y,z} e^{i\theta(H(y)-H(z))}\, T_{y,z}\, |\mathbf{y}\rangle\langle\mathbf{z}|, \qquad (8)$$

and thus Eq. (6) may be rewritten

$$T_{y,z} = e^{i\theta(H(y)-H(z))}\, T_{y,z} \quad \text{for all } y, z \in \{0,1\}^n. \qquad (9)$$

If $T$ is block diagonal, then the equality in Eq. (9) holds for all $\theta$ when $H(y) \neq H(z)$ because $T_{y,z} = 0$; this equality always holds for all $\theta$ when $H(y) = H(z)$. To prove the other direction, note that, if $H(y) \neq H(z)$ and Eq. (9) holds for all $\theta$, then $T_{y,z}$ must be zero (otherwise one could divide both sides by $T_{y,z}$ and get a contradiction for some value of $\theta$).

2.1 Exact implementation/preparation of phase-invariant unitary/density operators

The following lemma implies that, despite our limited knowledge about $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$, we can exactly implement any phase-invariant unitary operator $V$ on $\mathcal{H}^n$, given its matrix (explicitly) with respect to the hidden basis. The lemma guarantees that we can find a matrix representation of $V'$ with respect to the computational basis $B^{\otimes n}$ of $\mathcal{S}^n$, and then use this to effect $V$ on $\mathcal{H}^n$; this implementation of $V$ is algorithmically exact (though, in practice, error correction would likely need to be used; we assume perfect quantum channels throughout this paper).

Lemma 3. Given the matrix representation of a phase-invariant unitary operator $V$ on $\mathcal{H}^n$ with respect to the hidden basis $\{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}^{\otimes n}$, one can compute the matrix representation of an operator $V'$ on $\mathcal{S}^n$ with respect to the computational basis $B^{\otimes n}$, such that $V'|_{\mathcal{H}^n} = V$.

Proof. Since $V$ is phase invariant, Fact 2 implies it is block diagonal with respect to $\bigoplus_{w=0}^{n} \mathcal{H}^n_w$, and can thus be written $V = \bigoplus_{w=0}^{n} V_w$, for $V_w$ unitary on $\mathcal{H}^n_w$. Let $\{|w, z\rangle : z = 1, 2, \ldots, \binom{n}{w}\}$ be the natural ordered basis for $\mathcal{H}^n_w$, that is, $|w, z\rangle \in \{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}^{\otimes n}$ for all $(w, z)$. The operator $V_w$ is specified by equations of the form

$$V_w |w, z\rangle = \sum_{k=1}^{\binom{n}{w}} c^w_{k,z}\, |w, k\rangle, \qquad (10)$$

which we can read off the given matrix for $V$. If, for each $z \in \{1, 2, \ldots, \binom{n}{w}\}$, we fix $\pi^w_z$ to be any permutation on $n$ objects³ such that

$$|\pi^w_z(0^{n-w}1^w)\rangle = |w, z\rangle, \qquad (11)$$

we can rewrite Eq. (10) as

$$V_w |\pi^w_z(0^{n-w}1^w)\rangle = \sum_{k=1}^{\binom{n}{w}} c^w_{k,z}\, |\pi^w_k(0^{n-w}1^w)\rangle. \qquad (12)$$



Let $\mathcal{S}^n_w$ denote the "weight-$w$" subspace of $\mathcal{S}^n$:

$$\mathcal{S}^n_w := \mathrm{span}\{|\pi^w_z(c)\rangle \in \mathcal{S}^n : z \in \{1, 2, \ldots, \tbinom{n}{w}\},\ c \in (B_0)^{n-w} \times (B_1)^w\}. \qquad (13)$$

It suffices to show how to compute the matrix representation with respect to $B^{\otimes n}$ of a unitary operator $V'_w$ on $\mathcal{S}^n_w$ such that $V'_w|_{\mathcal{H}^n_w} = V_w$, for each $w$; thus, fix $w$.

Assuming $d_0 := \dim \mathcal{S}_0$ and $d_1 := \dim \mathcal{S}_1$, we can substitute into Eq. (12) the two equations

$$|\mathbf{0}\rangle := \sum_{i=1}^{d_0} \alpha_i |a_i\rangle, \qquad |\mathbf{1}\rangle := \sum_{j=1}^{d_1} \beta_j |b_j\rangle, \qquad (14)$$

where $B_0 = \{|a_i\rangle\}_i$ and $B_1 = \{|b_j\rangle\}_j$, and get, after changing the order of summations,

(15)

(16)

Consider the mapping defined by the $\binom{n}{w} d_0^{n-w} d_1^w$ equations of the form

$$V'_w\, |\pi^w_z(a_{i_1}, \ldots, a_{i_{n-w}}, b_{j_1}, \ldots, b_{j_w})\rangle = \sum_{k=1}^{\binom{n}{w}} c^w_{k,z}\, |\pi^w_k(a_{i_1}, \ldots, a_{i_{n-w}}, b_{j_1}, \ldots, b_{j_w})\rangle \qquad (17)$$

³Here, the $n$ objects will be the $n$ components of a vector (that functions as the label for a ket). A binary string is considered a vector of zeros and ones.
for all $|a_{i_l}\rangle \in \{|a_i\rangle\}_i$ (for all $l = 1, 2, \ldots, n-w$), for all $|b_{j_{l'}}\rangle \in \{|b_j\rangle\}_j$ (for all $l' = 1, 2, \ldots, w$), and for all $z = 1, 2, \ldots, \binom{n}{w}$. We claim that this mapping well-defines a suitable $V'_w$. Indeed, it is easy to see that the $d_0^{n-w} d_1^w$ subspaces (indexed by $(i_1, \ldots, i_{n-w}, j_1, \ldots, j_w)$)

$$\mathrm{span}\{|\pi^w_z(a_{i_1}, \ldots, a_{i_{n-w}}, b_{j_1}, \ldots, b_{j_w})\rangle : z \in \{1, 2, \ldots, \tbinom{n}{w}\}\} \qquad (18)$$

are mutually orthogonal, and that the mapping is unitary on each of these subspaces by unitarity of $V_w$. Since $\dim \mathcal{S}^n_w = \binom{n}{w} d_0^{n-w} d_1^w$, the mapping well-defines a unitary operator on $\mathcal{S}^n_w$. The matrix entries for $V'_w$ can be read off of Eqs. (17).

Lemma 3 allows us to prove the following theorem, which implies that, despite our limited knowledge of $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$, we can prepare a copy of any phase-invariant density operator on $\mathcal{H}^n$, given its matrix with respect to the hidden basis.

Theorem 1 (Exact preparation of phase-invariant states). Given the matrix representation of a phase-invariant density operator $\rho$ on $\mathcal{H}^n$ with respect to the hidden basis $\{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}^{\otimes n}$, one can prepare a copy of $\rho$ using at most $n$ copies each of $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$.

Proof. Lemma 3 implies that, in order to prepare any phase-invariant pure state $|\phi\rangle \in \mathcal{H}^n_w$, it suffices to have $(n-w)$ copies of $|\mathbf{0}\rangle$ and $w$ copies of $|\mathbf{1}\rangle$. To see this, note that there exists a unitary operator $U_w$ on $\mathcal{H}^n_w$ mapping

$$|\mathbf{0}\rangle^{\otimes(n-w)} |\mathbf{1}\rangle^{\otimes w} \mapsto |\phi\rangle, \qquad (19)$$

and that $U_w$ is (trivially) phase invariant. Since $\rho$ is just a probabilistic distribution of phase-invariant pure states (because it is block diagonal), it follows that $\rho$ is preparable using at most $n$ copies each of $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$ (assuming one can sample from this probability distribution).

2.2 Algorithm for exact state preparation of phase-invariant states

Theorem 1 does not address the question of efficiency. Indeed, in some cases, the required unitary operation (denoted $U_w$ in the proof) is efficient, as demonstrated by the following example.

Let $|S^n_w\rangle$ be the normalized symmetric sum of all $\binom{n}{w}$ states in $\{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}^{\otimes n}$ that have weight $w$:

$$|S^n_w\rangle := \frac{1}{\sqrt{\binom{n}{w}}} \sum_{x \in \{0,1\}^n :\, H(x) = w} |\mathbf{x}\rangle. \qquad (20)$$

As we now explain, the algorithm for state generation in Ref. [1] can be adapted to transform

$$|\mathbf{0}\rangle^{\otimes(n-w)} |\mathbf{1}\rangle^{\otimes w} \mapsto |S^n_w\rangle. \qquad (21)$$
Fix $n$ and assume $0 < w < n$. Hypothetically, suppose we had a copy of $|S^n_w\rangle$ and we measured the registers one-by-one from the left in the basis $\{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}$. Denote the binary outcome of measuring a register by $0$ (if the register was in state $|\mathbf{0}\rangle$) or $1$ (if the register was in state $|\mathbf{1}\rangle$). Let $X_i$, for $i = 1, 2, \ldots, n$, denote the random variable representing the outcome of measuring register $i$ (registers are enumerated from left to right). For $j = 2, 3, \ldots, n$ and for any $x \in \{0,1\}^{j-1}$ and $x_j \in \{0,1\}$, define the probabilities

$$p_x := P(X_1 \cdots X_{j-1} = x) \qquad (22)$$
$$p_{x_j|x} := P(X_j = x_j \mid X_1 \cdots X_{j-1} = x), \qquad (23)$$

where adjacent bit-values denote string-concatenation and we note that the definition of $p_x$ holds also for $j = n+1$. Then we have $p_1 = w/n = 1 - p_0$ and

$$p_{x_j|x} = p_{x x_j} / p_x \qquad (24)$$
$$p_{1|x} = (w - H(x)) / (n - j + 1) \qquad (25)$$
$$\phantom{p_{1|x}} = 1 - p_{0|x}. \qquad (26)$$

Define the shorthand notation, for nonnegative integers $d$ and $c \ge d$,

$$|d^{(c)}\rangle := |\mathbf{0}\rangle^{\otimes(c-d)} |\mathbf{1}\rangle^{\otimes d}, \qquad (27)$$

so that the left-hand side of Eq. (21) is $|w^{(n)}\rangle$.

We can prepare $|S^n_w\rangle$ by starting with $|w^{(n)}\rangle$, and then applying a sequence $U_1, U_2, \ldots, U_n$ of phase-invariant unitary operators. The first operator will be

$$U_1 : |w^{(n)}\rangle \mapsto \sqrt{p_0}\, |\mathbf{0}\rangle |w^{(n-1)}\rangle + \sqrt{p_1}\, |\mathbf{1}\rangle |(w-1)^{(n-1)}\rangle. \qquad (28)$$

For each $j = 2, 3, \ldots, n$ and for any $x = x_1 x_2 \cdots x_{j-1} \in \{0,1\}^{j-1}$, we define the operators, for any $d \in \{1, 2, \ldots, w\}$,

$$U_j : |\mathbf{x}\rangle |d^{(n-(j-1))}\rangle \mapsto |\mathbf{x}\rangle \left( \sqrt{p_{0|x}}\, |\mathbf{0}\rangle |d^{(n-j)}\rangle + \sqrt{p_{1|x}}\, |\mathbf{1}\rangle |(d-1)^{(n-j)}\rangle \right). \qquad (29)$$

Each $U_j$ performs an operation similar to a root-SWAP operator⁴, controlled on registers $1$ through $(j-1)$, swapping register $j$ with the next closest register to the right whose state is orthogonal to the subspace containing $|\mathbf{0}\rangle$. Our $U_j$ also has built into it a final phase-clean-up operation, controlled on registers $1$ through $j$, which removes the imaginary factor of $i$ arising from the root-SWAP operation. We can now show that $|S^n_w\rangle = U_n \cdots U_2 U_1 |w^{(n)}\rangle$. A straightforward induction (similar to that in Ref. [1]) shows that, after $U_j$ is applied, the state of the $n$ registers is

$$\sum_{x \in \{0,1\}^j} \sqrt{p_x}\, |\mathbf{x}\rangle |(w - H(x))^{(n-j)}\rangle, \qquad (30)$$

so that, after $U_n$ is applied, the state is $\sum_{x \in \{0,1\}^n} \sqrt{p_x}\, |\mathbf{x}\rangle = |S^n_w\rangle$.

⁴For $0 \le \alpha \le 1$, we can define a root-SWAP-like operator, which maps $|0\rangle|0\rangle \mapsto |0\rangle|0\rangle$, $|0\rangle|1\rangle \mapsto \alpha|0\rangle|1\rangle + i\sqrt{1-\alpha^2}\,|1\rangle|0\rangle$, $|1\rangle|0\rangle \mapsto i\sqrt{1-\alpha^2}\,|0\rangle|1\rangle + \alpha|1\rangle|0\rangle$, and $|1\rangle|1\rangle \mapsto |1\rangle|1\rangle$. When $\alpha = 1/\sqrt{2}$, this is the root-SWAP operator.

The above algorithm for creating $|S^n_w\rangle$ can be generalized to create any $|\eta\rangle \in \mathcal{H}^n_w$ (and hence any phase-invariant density operator): it is clear that it can be generalized to create any state in $\mathcal{H}^n_w$ that has real coefficients; we refer to Ref. [1] for how to create the correct phases of any complex coefficients of $|\eta\rangle$ efficiently. The general algorithm is efficient as long as the conditional probabilities $p_{x_j|x}$ are efficiently computable, as in the case of the symmetric states.
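As an added illustration (this is not code from the paper), the following Python simulates the sequence $U_1, \ldots, U_n$ of Eqs. (28)-(29) on the bookkeeping pair (measured prefix $x$, remaining 1-count $d$), using the conditional probabilities of Eqs. (24)-(26); it also goes one step beyond the symmetric case, as the text indicates is possible, by computing $p_{x_j|x}$ from the measurement statistics of any target in $\mathcal{H}^n_w$ with real nonnegative coefficients. Function names such as `prepare` and `cond_prob_symmetric` are this example's own.

```python
from itertools import combinations
from math import comb, sqrt


def hamming(x):
    """H(x): number of 1s in the bit-string x."""
    return x.count("1")


def symmetric_target(n, w):
    """Amplitudes of |S^n_w> (Eq. 20): 1/sqrt(C(n,w)) on every weight-w string."""
    amp = 1.0 / sqrt(comb(n, w))
    return {"".join("1" if i in ones else "0" for i in range(n)): amp
            for ones in combinations(range(n), w)}


def cond_prob_symmetric(n, w, x):
    """p_{1|x} of Eq. (25): remaining 1s over remaining registers, given prefix x."""
    j = len(x) + 1                      # index of the register about to be handled
    return (w - hamming(x)) / (n - j + 1)


def cond_prob_from_target(target):
    """General case: p_{1|x} = p_{x1} / p_x, with p_x the total probability of the
    target's strings that extend the prefix x (Eqs. 22-24)."""
    def p_prefix(x):
        return sum(a * a for y, a in target.items() if y.startswith(x))

    def p1_given(x):
        px = p_prefix(x)
        return p_prefix(x + "1") / px if px > 0 else 0.0
    return p1_given


def prepare(n, w, p1_given):
    """Simulate U_n ... U_2 U_1 |w^(n)> (Eqs. 28-29).  Each U_j splits a branch
    |x>|d^(n-j+1)> into sqrt(p_{0|x}) |x0>|d^(n-j)> + sqrt(p_{1|x}) |x1>|(d-1)^(n-j)>.
    The state is stored as {(prefix x, remaining 1-count d): amplitude}."""
    state = {("", w): 1.0}              # the product state |w^(n)> of Eq. (27)
    for _j in range(1, n + 1):
        nxt = {}
        for (x, d), amp in state.items():
            # phase invariance of U_j: H(x) + d is the fixed total weight w
            assert hamming(x) + d == w
            p1 = p1_given(x)
            p0 = 1.0 - p1
            if p0 > 1e-15:
                nxt[(x + "0", d)] = nxt.get((x + "0", d), 0.0) + amp * sqrt(p0)
            if p1 > 1e-15:
                nxt[(x + "1", d - 1)] = nxt.get((x + "1", d - 1), 0.0) + amp * sqrt(p1)
        state = nxt
    # after U_n the reference part |d^(0)> is empty, so every branch has d == 0
    assert all(d == 0 for (_x, d) in state)
    return {x: amp for (x, _d), amp in state.items() if abs(amp) > 1e-15}


def same_state(a, b, tol=1e-12):
    """Compare two amplitude dictionaries entry by entry."""
    return set(a) == set(b) and all(abs(a[k] - b[k]) < tol for k in a)


if __name__ == "__main__":
    n, w = 5, 2
    sym = prepare(n, w, lambda x: cond_prob_symmetric(n, w, x))
    print(same_state(sym, symmetric_target(n, w)))                     # True
    # constructed non-symmetric real target in H^4_2, prepared from its own statistics
    target = {"0011": 0.6, "0101": 0.8}
    print(same_state(prepare(4, 2, cond_prob_from_target(target)), target))  # True
```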

Example 1. Consider the state $\rho = \frac{1}{2\pi} \int_0^{2\pi} |\psi(\theta)\rangle\langle\psi(\theta)|\, d\theta$, where

$$|\psi(\theta)\rangle := \left( \frac{|\mathbf{0}\rangle + e^{i\theta}|\mathbf{1}\rangle}{\sqrt{2}} \right)^{\otimes n}. \qquad (31)$$

We see that $\rho$ is phase invariant and equal to $\sum_{w=0}^{n} \binom{n}{w} 2^{-n} |S^n_w\rangle\langle S^n_w|$. Theorem 1 implies we can prepare $\rho$ using at most $n$ copies each of $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$, and the above algorithm implies we can do so efficiently.



2.3 Beyond phase invariance?



One may of course ask about unitary operators and quantum states that are not phase invariant. Regarding the former, recall the finite universal set $\{H, S, T, \text{c-}Z\}$ of gates [8], where

$$H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}, \quad S = \begin{pmatrix} 1 & 0 \\ 0 & i \end{pmatrix}, \quad T = \begin{pmatrix} 1 & 0 \\ 0 & e^{i\pi/4} \end{pmatrix}, \quad \text{c-}Z = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & -1 \end{pmatrix}, \qquad (32)$$

and the matrices are defined with respect to $\{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}$ (in the case of the one-qubit gates) and $\{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}^{\otimes 2}$ (in the case of the c-$Z$ gate). Since $S$, $T$, and c-$Z$ are phase invariant, we see that it is the presumed inability to implement the Hadamard gate $H$ exactly that prevents us from performing exact universal quantum computation in the hidden basis $\{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}^{\otimes n}$. Indeed, we conjecture that, for worst-case $A_0$ and $A_1$ (recall their definitions in the Introduction), a large number of copies of $|\mathbf{0}\rangle \in A_0$ and $|\mathbf{1}\rangle \in A_1$ are necessary to implement one Hadamard gate or to prepare one copy of $(|\mathbf{0}\rangle + |\mathbf{1}\rangle)/\sqrt{2}$, if the implementation/preparation is well approximated for every $|\mathbf{0}\rangle \in A_0$ and every $|\mathbf{1}\rangle \in A_1$; see Remark 7 and the Appendix for a precise conjecture in a simplified framework.

3 Approximate universal computation in a hidden basis 

Recall our discussion in the Introduction, where we noted that quantum computing with respect to the hidden basis $\{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}^{\otimes n}$ is equivalent to computing with respect to the phase-shifted hidden basis $\{|\mathbf{0}\rangle, e^{i\theta}|\mathbf{1}\rangle\}^{\otimes n}$ as long as $\theta$ is consistent throughout the entire computation.

Definition 3 (Quantum computation in a hidden basis). Let $\rho_0$ be a density operator on $\mathcal{H}^n$ and let $W$ be a unitary operator on $\mathcal{H}^n$. To carry out the quantum computation (of $(\rho_0, W)$) in the (phase-shifted) hidden basis $\{|\mathbf{0}\rangle, e^{i\theta}|\mathbf{1}\rangle\}^{\otimes n}$ means to effect the operation

$$\rho_0 \mapsto \rho'_\theta := U(\theta)\, W\, U(\theta)^\dagger\, \rho_0\, U(\theta)\, W^\dagger\, U(\theta)^\dagger, \qquad (33)$$

given a copy of $\rho_0$ and a classical description of $W$. We say the computation is carried out approximately, with fidelity $\sqrt{1-\epsilon^2}$, if we effect an operation $\rho_0 \mapsto \tilde{\rho}_\theta$ such that $\tilde{\rho}_\theta$ has fidelity $\sqrt{1-\epsilon^2}$ with $\rho'_\theta$.

Remark 4 (Compatibility of phase references). In Definition 3, note that $\rho'_\theta$ will be equivalent to $W \rho_0 W^\dagger$ up to conjugation by $U(\theta)$ if $\rho_0$ is phase invariant. More generally, if $\rho_0 = U(\theta)\, \sigma_0\, U(\theta)^\dagger$ for some $\theta$-independent $\sigma_0$ on $\mathcal{H}^n$, then $\rho'_\theta$ will be equivalent to $W \sigma_0 W^\dagger$ up to conjugation by $U(\theta)$. The latter condition (while including all phase-invariant $\rho_0$, in which case $\rho_0 = \sigma_0$) includes any non-phase-invariant $\rho_0$ that is (somehow) already defined with respect to the phase-angle $\theta$, e.g., $\rho_0 = \big((|\mathbf{0}\rangle + e^{i\theta}|\mathbf{1}\rangle)(\langle\mathbf{0}| + e^{-i\theta}\langle\mathbf{1}|)/2\big)^{\otimes n}$ (corresponding to $\sigma_0 = \big((|\mathbf{0}\rangle + |\mathbf{1}\rangle)(\langle\mathbf{0}| + \langle\mathbf{1}|)/2\big)^{\otimes n}$).

Note that we have not unnecessarily complicated Definition 3 by including a notion of measurement: any measurement can be expressed as an extra unitary operation (on a possibly larger space) plus a projective measurement in the hidden computational basis $\{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}^{\otimes n}$; the extra unitary operation may be absorbed into $W$ and the projective measurement easily simulated by measuring with respect to the computational basis of $\mathcal{S}^n$.

We now show how we can achieve approximate universal quantum computation in the hidden basis $\{|\mathbf{0}\rangle, e^{i\theta}|\mathbf{1}\rangle\}^{\otimes n}$ efficiently, given a phase reference state encoding $\theta$ that is used in an analogous manner to how coherent light states are used to drive qubit transformations in an optical implementation of a quantum computer.

Recalling the discussion in Section 2.3, we note that the set $C_\theta := \{H_\theta, S, T, \text{c-}Z\}$ is universal for quantum computation with respect to the phase-shifted hidden basis $\{|\mathbf{0}\rangle, e^{i\theta}|\mathbf{1}\rangle\}^{\otimes n}$, where the phase-shifted Hadamard gate is defined as

$$H_\theta = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & e^{-i\theta} \\ e^{i\theta} & -1 \end{pmatrix}, \qquad (34)$$

where the matrix is with respect to the hidden basis $\{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}$. Since the other gates in $C_\theta$ are phase invariant, it thus suffices that we show how to implement (approximately) the gate $H_\theta$ many times, each time on an arbitrary input, and each time with respect to the same value of unknown and uniformly random $\theta \in [0, 2\pi)$. We can actually implement, for any $\alpha \in [0, 1]$, the generalized phase-shifted Hadamard gate

$$H_\theta(\alpha) : |\mathbf{0}\rangle \mapsto \alpha|\mathbf{0}\rangle + \sqrt{1-\alpha^2}\, e^{i\theta}|\mathbf{1}\rangle \qquad (35)$$
$$\phantom{H_\theta(\alpha) :}\ e^{i\theta}|\mathbf{1}\rangle \mapsto \sqrt{1-\alpha^2}\, |\mathbf{0}\rangle - \alpha\, e^{i\theta}|\mathbf{1}\rangle. \qquad (36)$$



Just as before, we will make use of phase-invariant root-SWAP-like operations, which introduce imaginary $i$ factors; thus, it will be more convenient to directly implement the gate

$$G_\theta(\alpha) : |\mathbf{0}\rangle \mapsto \alpha|\mathbf{0}\rangle + i\sqrt{1-\alpha^2}\, e^{i\theta}|\mathbf{1}\rangle \qquad (37)$$
$$\phantom{G_\theta(\alpha) :}\ |\mathbf{1}\rangle \mapsto i\sqrt{1-\alpha^2}\, e^{-i\theta}|\mathbf{0}\rangle + \alpha|\mathbf{1}\rangle, \qquad (38)$$

and then we have, for example, $Z S G_\theta(\alpha) S Z = H_\theta(\alpha)$, where $Z$ is the (phase-invariant) Pauli-$Z$ gate

$$Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix} \qquad (39)$$

and $S$ is defined in Eq. (32). Also, for clarity of exposition, we will assume $\alpha = 1/\sqrt{2}$ (but we will indicate in footnotes how the procedure is modified for general $\alpha$). Let

$$G_\theta := G_\theta(1/\sqrt{2}). \qquad (40)$$



Go 



God 



(40) 



Consider how one might effect the gate $G_\theta$, given some phase reference state that encodes $\theta$ and presumably depends on $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$. What form could such a state take? Inspired by a coherent light state, $\sum_{w=0}^{\infty} (\gamma^w/\sqrt{w!})\, |w\rangle$, we make the following definition.

Definition 4 (Phase reference state). For any $\theta \in [0, 2\pi)$ and positive integer $t$, a phase reference state (having size $t$ and encoding $\theta$) is

$$|\Psi_\theta\rangle := \frac{1}{\sqrt{t}} \sum_{w=1}^{t} e^{iw\theta}\, |w^{(t)}\rangle,^7 \qquad (41)$$

where $|w^{(t)}\rangle$ is defined in Eq. (27).

Each occurrence of $|\mathbf{1}\rangle$ (respectively, $|\mathbf{0}\rangle$) in the state $|w^{(t)}\rangle$ is analogous to one photon (respectively, one vacuum). Thus, it will be convenient to refer to the state $|w^{(t)}\rangle$ as a 1-number state, in analogy with the photon-number state $|w\rangle$.

Remark 5 (Freedom in definition of phase reference state). Note that since we are not restricted to the standard interaction Hamiltonians present in Nature (because we are just mimicking such interactions using a universal quantum computer), our version of the coherent states, as well as how they interact with the other systems, looks slightly different; we need only mimic some of the main properties of coherent light states, for example, that the argument (phase angle) of successive coefficients scales linearly with the photon number. In general, to achieve an efficient approximation, there is some freedom in the choice of the moduli of the coefficients of our phase reference states. For clarity of presentation, we have chosen to use the simplest coefficients, with constant modulus. However, one could specify a cost function and optimize the moduli accordingly, with modest gain in the quality of the approximation.⁸

Define the phase-invariant controlled-root-SWAP gate $U$, which, for fixed $t$, acts on $(t+1)$ equally-sized registers, and in particular operates as follows:

$$U : |\mathbf{0}\rangle |a^{(t)}\rangle \mapsto \frac{1}{\sqrt{2}} \left( |\mathbf{0}\rangle |a^{(t)}\rangle + i\, |\mathbf{1}\rangle |(a-1)^{(t)}\rangle \right) \qquad (42)$$
$$\phantom{U :}\ |\mathbf{1}\rangle |b^{(t)}\rangle \mapsto \frac{1}{\sqrt{2}} \left( i\, |\mathbf{0}\rangle |(b+1)^{(t)}\rangle + |\mathbf{1}\rangle |b^{(t)}\rangle \right), \qquad (43)$$

for all $a = 1, 2, \ldots, t$ and all $b = 0, 1, \ldots, (t-1)$.⁹ Let $|\phi\rangle$ be an arbitrary one-logical-qubit pure state to which we want to apply $G_\theta$. Applying $U$ to $|\phi\rangle|\Psi_\theta\rangle$, the resulting state contains the term

$$\sqrt{\frac{t-2}{t}}\, \big( G_\theta |\phi\rangle \big) |\Psi_\theta(1)\rangle. \qquad (44)$$

⁷In the right-hand side of Eq. (41), we could have had the summation start at $w = 0$; we choose $w = 1$ to make the analysis that follows cleaner, while not significantly affecting the quality of the approximation.

⁸States that are similar to our coherent-state analogues $|\Psi_\theta\rangle$ have independently been used in Ref. [9]. In their application, the phase parameter is not an issue. Rather, they use this property of coherent states behaving more and more "classically", i.e. with less and less disturbance to the coherent state, as the size $t$ of the coherent state gets larger. In their case, a larger coherent state corresponds to a larger amount of shared entanglement, and they used this to show that more entanglement always improves the success probability of their protocol. Generally, all such states are forms of "embezzling" states [10, 11].

⁹Here is a complete description of $U$: If the registers are enumerated $0, 1, \ldots, t$ starting from the left, then $U$ applies the root-SWAP to registers $0$ and $j$ (for $j \ge 1$) exactly when either registers $0$ through $(j-1)$ are in the state subspace containing $|\mathbf{0}\rangle$ and registers $j, \ldots, t$ are in the subspace containing $|\mathbf{1}\rangle$, or registers $1$ through $j$ are in the subspace containing $|\mathbf{0}\rangle$ and registers $0$ and $j+1, \ldots, t$ are in the subspace containing $|\mathbf{1}\rangle$ (and, otherwise, $U$ acts as the identity operator). In the case of general $\alpha$, use the root-SWAP-like operator (defined in a previous footnote) instead of the root-SWAP.
The other ("junk") terms are of 1-number $0$, $1$, and $t$. Note that terms of different 1-number are orthogonal. Recall that it suffices to compute the minimum gate fidelity over all pure inputs $|\phi\rangle$, because of the joint concavity of the fidelity [8]. Thus, the $G_\theta$ gate was effectively applied with minimum fidelity $\sqrt{(t-2)/t}$, and the rightmost $t$ registers have this same fidelity with the state $|\Psi_\theta(1)\rangle$, where we define

$$|\Psi_\theta(i')\rangle := \frac{1}{\sqrt{t - 2i'}} \sum_{w = 1 + i'}^{t - i'} e^{iw\theta}\, |w^{(t)}\rangle, \qquad (45)$$

for $i' \ge 0$. To implement a second $G_\theta$ gate, we use these same rightmost $t$ registers (whose state is close to $|\Psi_\theta(1)\rangle$). And so on. In general, we find that $U|\phi\rangle|\Psi_\theta(i')\rangle$ equals

$$\sqrt{\frac{t - 2i' - 2}{t - 2i'}}\, \big( G_\theta |\phi\rangle \big) |\Psi_\theta(i'+1)\rangle \qquad (46)$$

plus orthogonal "junk", where $|\phi\rangle$ is, again, an arbitrary pure state of a logical qubit. The gate fidelity of the $l$-th approximation of $G_\theta$ is thus at least $\sqrt{(t - 2l)/t}$ (for sufficiently large $t$). Thus, we have the following theorem:

Theorem 2 (Approximate universal quantum computation in a hidden basis). Let $\rho_0$ be a density operator on $\mathcal{H}^n$ and suppose $W$ is a unitary operator on $\mathcal{H}^n$ that can be decomposed into phase-invariant gates and at most $l$ Hadamard gates. Given $\epsilon > 0$ and a copy of the reference state $|\Psi_\theta\rangle$ (defined above), one can carry out the quantum computation in the hidden basis $\{|\mathbf{0}\rangle, e^{i\theta}|\mathbf{1}\rangle\}^{\otimes n}$ of $(\rho_0, W)$ approximately, with fidelity $\sqrt{1 - \epsilon^2}$, if $t \ge \lceil 2l/\epsilon^2 \rceil$.

We say that the approximation algorithm in Theorem 2 is efficient because the size of the phase reference state need only scale linearly with the number of Hadamard gates implemented, for constant $\epsilon$. In Section 4.2.1 we show how Theorem 2 can be applied by an adversary to mount a weak attack on the cryptographic protocol we present in Section 4.2.
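As an added, checkable illustration of the fidelity claim behind Theorem 2 (this is not code from the paper), the following Python simulates $l$ successive applications of the controlled-root-SWAP $U$ of Eqs. (42)-(43) to fresh logical qubits and one size-$t$ reference state $|\Psi_\theta\rangle$, keeping track only of the reference 1-number $w$ since $U$ maps the span of the $|w^{(t)}\rangle$ to itself; it compares the result with the ideal output $\big(\bigotimes_k G_\theta|\phi_k\rangle\big) \otimes |\Psi_\theta(l)\rangle$ and also checks the stated identity $Z S G_\theta S Z = H_\theta$. The amplitude-dictionary representation, the function names, and the sample inputs are this example's own.

```python
import cmath
from math import sqrt

ALPHA = 1 / sqrt(2)               # the paper's alpha = 1/sqrt(2) (plain root-SWAP) case
BETA = sqrt(1 - ALPHA ** 2)


def psi_ref(t, theta, shift=0):
    """|Psi_theta(i')> of Eq. (45), keyed by the 1-number w of |w^(t)>; shift = i'."""
    m = t - 2 * shift
    return {w: cmath.exp(1j * w * theta) / sqrt(m) for w in range(1 + shift, t - shift + 1)}


def g_gate(theta):
    """G_theta(alpha) of Eqs. (37)-(38); column q is the image of |q>."""
    return [[ALPHA, 1j * BETA * cmath.exp(-1j * theta)],
            [1j * BETA * cmath.exp(1j * theta), ALPHA]]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def hadamard_via_g(theta):
    """Z S G_theta S Z, which the text states equals the phase-shifted Hadamard H_theta (Eq. 34)."""
    z, s = [[1, 0], [0, -1]], [[1, 0], [0, 1j]]
    return matmul(matmul(matmul(matmul(z, s), g_gate(theta)), s), z)


def apply_u(state, phi, t):
    """Tensor a fresh logical qubit phi = (a, b) onto the state, then apply the
    controlled root-SWAP U of Eqs. (42)-(43) between it and the reference registers.
    Keys are (bits of all logical qubits so far, reference 1-number w)."""
    out = {}

    def add(key, amp):
        out[key] = out.get(key, 0) + amp

    for (bits, w), amp in state.items():
        for q in (0, 1):
            a = amp * phi[q]
            if a == 0:
                continue
            if q == 0 and 1 <= w <= t:                  # Eq. (42)
                add((bits + (0,), w), ALPHA * a)
                add((bits + (1,), w - 1), 1j * BETA * a)
            elif q == 1 and 0 <= w <= t - 1:            # Eq. (43)
                add((bits + (0,), w + 1), 1j * BETA * a)
                add((bits + (1,), w), ALPHA * a)
            else:                                       # U acts as the identity
                add((bits + (q,), w), a)
    return out


def ideal_state(phis, t, theta):
    """Exact target: (G_theta|phi_1>) ... (G_theta|phi_l>) tensored with |Psi_theta(l)>."""
    g = g_gate(theta)
    qubits = {(): 1.0}
    for phi in phis:
        nxt = {}
        for bits, amp in qubits.items():
            for r in (0, 1):
                v = amp * (g[r][0] * phi[0] + g[r][1] * phi[1])
                if v != 0:
                    nxt[bits + (r,)] = v
        qubits = nxt
    ref = psi_ref(t, theta, len(phis))
    return {(bits, w): a * c for bits, a in qubits.items() for w, c in ref.items()}


def fidelity(s1, s2):
    """|<s1|s2>| for pure states stored as amplitude dictionaries."""
    return abs(sum(s1[k].conjugate() * s2[k] for k in s1 if k in s2))


def run_gates(phis, t, theta):
    """Apply l = len(phis) approximate G_theta gates using one size-t reference state
    and return the fidelity with the ideal output; the text predicts sqrt((t - 2l)/t)."""
    state = {((), w): c for w, c in psi_ref(t, theta).items()}
    for phi in phis:
        state = apply_u(state, phi, t)
    return fidelity(ideal_state(phis, t, theta), state)


if __name__ == "__main__":
    # constructed logical-qubit inputs: |0>, (|0>+|1>)/sqrt2, and 0.6|0> + 0.8i|1>
    inputs = [(1, 0), (1 / sqrt(2), 1 / sqrt(2)), (0.6, 0.8j)]
    print(run_gates(inputs, t=12, theta=1.3), sqrt((12 - 6) / 12))   # both 0.7071...
```

The "junk" terms never overlap the ideal output, so the fidelity comes out as exactly $\sqrt{(t-2l)/t}$ whenever $t \ge 2l + 1$, matching the bound used in Theorem 2.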

We end this section with the following corollary, which summarizes how one can use copies of $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$ to create a phase reference state $|\Psi_\theta\rangle$, for unknown and uniformly random $\theta$, in order to carry out approximate universal quantum computation in a hidden basis.

Corollary 6 (Computation in a hidden basis for unknown and random $\theta$). Let $\rho_0$ be a density operator on $\mathcal{H}^n$ and suppose $W$ is a unitary operator on $\mathcal{H}^n$ that can be decomposed into phase-invariant gates and at most $l$ Hadamard gates. Given $\epsilon > 0$ and $t$ copies each of $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$, one can carry out the quantum computation in the hidden basis $\{|\mathbf{0}\rangle, e^{i\theta}|\mathbf{1}\rangle\}^{\otimes n}$ of $(\rho_0, W)$ for unknown and uniformly random $\theta \in [0, 2\pi)$, i.e., effect the operation

$$\rho_0 \mapsto \bar{\rho} := \frac{1}{2\pi} \int_0^{2\pi} U(\theta)\, W\, U(\theta)^\dagger\, \rho_0\, U(\theta)\, W^\dagger\, U(\theta)^\dagger\, d\theta, \qquad (47)$$

approximately, with fidelity $\sqrt{1 - \epsilon^2}$, if $t \ge \lceil 2l/\epsilon^2 \rceil$.
Proof. Noting that

$$\frac{1}{2\pi} \int_0^{2\pi} d\theta\, |\Psi_\theta\rangle\langle\Psi_\theta| = \frac{1}{t} \sum_{w=1}^{t} |w^{(t)}\rangle\langle w^{(t)}|, \qquad (48)$$

we can thus prepare the state $|\Psi_\theta\rangle$ for a uniformly random value of $\theta$ by preparing a uniformly random 1-number state, which is easy to do with $t$ copies each of $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$. The statement then follows from Theorem 2.

We say that the approximation algorithm in Corollary 6 is efficient because the number of copies of $|\mathbf{0}\rangle$ and $|\mathbf{1}\rangle$ need only scale linearly with the number of Hadamard gates implemented, for constant $\epsilon$. Note that if $\rho_0$ is phase invariant and we are interested in measuring (after executing $W$) a phase-invariant Hermitian observable $M$, then we can apply Corollary 6 to carry out approximate quantum computation in a hidden basis and effectively measure the observable $M$ on the state $W \rho_0 W^\dagger$.¹⁰ We hope that Corollary 6 finds application (perhaps in conjunction with Theorem 2) in interactive protocols (e.g. interactive proofs), where the parties variously create/send/receive and perform quantum operations on input states ($\rho_0$), output states ($\bar{\rho}$), and phase reference states.



4 Applications to public-key authentication 

Our motivation is information-theoretically-secure quantum-public-key cryptography, a framework for which was first proposed by Gottesman and Chuang in Ref. [3]; we describe an example of that framework now.

Let $A_S \subset \mathbb{C}^M$ be a set of superpolynomially (in $\log(M)$) many quantum states such that, for every distinct $|\psi\rangle$ and $|\phi\rangle$ in $A_S$,

$$|\langle\psi|\phi\rangle| \le \delta \qquad (49)$$

for some positive constant $\delta < 1$. The states in $A_S$ are sometimes called quantum fingerprints, and explicit constructions for such $A_S$, with $|A_S| \in 2^{\Theta(M)}$, are known [12]. A (succinct) classical description of $A_S$ is published.

¹⁰We have specified that the observable $M$ be phase invariant for two reasons: (1) so that the measurement statistics from measuring $M$ on $\bar{\rho}$ are the same as if one measured $M$ on $W \rho_0 W^\dagger$; and (2) so that we can implement the measurement with no approximation error, as follows. Each block $M_w$ of any phase-invariant observable $M = \bigoplus_{w=0}^{n} M_w$ can be diagonalized by a phase-invariant unitary $V_w$. Thus, we can implement $M$ by first implementing $\bigoplus_{w=0}^{n} V_w$ and then measuring in the hidden computational basis $\{|\mathbf{0}\rangle, |\mathbf{1}\rangle\}^{\otimes n}$.
As part of the key generation procedure, Alice randomly chooses |ψ⟩ uniformly from A_δ and keeps this choice secret, but she authentically distributes (e.g., by trusted courier) a limited number of copies of |ψ⟩ among several members of the public (including Bob). The classical description of |ψ⟩, which can be encoded by a bit-string of length Θ(log(|A_δ|)), serves as part of the private key, while several authentic copies of the state |ψ⟩ serve as part of the public key. Assuming each copy of |ψ⟩ is an O(log(M))-qubit state, the maximum number of bits of information one can extract from T copies of |ψ⟩ is O(T log(M)), by the Holevo bound [13, 14]. Thus, as long as T ≪ log(|A_δ|)/log(M), the part of the private key corresponding to |ψ⟩ is protected even if T copies of |ψ⟩ exist.

The full private/public key would typically consist of several independent instances of this setup, that is, Alice independently chooses several states |ψ⟩ ∈ A_δ and distributes the corresponding copies. This naturally allows for protocols that are the composition of independent instances of an atomic protocol, or kernel, that succeeds with only a certain probability. Repeating the kernel sufficiently many times, with independent |ψ⟩-values each time, can amplify the success probability to an acceptable level. In the case of authentication schemes, "to succeed" means "to correctly 'accept' or 'reject' a purported message or entity".

A more general framework can be obtained by allowing the public key to consist of additional systems that may depend on the private key; we will use this more general framework in Section 4.2.

We are primarily interested in public-key authentication protocols, either for classical messages, as in digital signature schemes, or for entities, as in identification schemes; a general approach to these is the following. Suppose that A_δ also satisfies the condition

⟨0|ψ⟩ = 0    (50)

for all |ψ⟩ ∈ A_δ and some known |0⟩ ∈ C^M. Alice can easily create states like |0⟩ + |ψ⟩ (we will sometimes omit normalization factors) and, more generally, she can perform any computation in the basis {|0⟩, |ψ⟩}.

Remark 7 (No-Squashing Conjecture). In general, it is not known how to perform such computations efficiently, and we conjecture that it takes superpolynomially (in log(M)) many copies of a uniformly random |ψ⟩ ∈ A_δ to prepare even one copy of |0⟩ + |ψ⟩, if the procedure is to work for all |ψ⟩ ∈ A_δ. We call this the No-Squashing Conjecture. We call the task of creating |0⟩ + |ψ⟩ for every |ψ⟩ ∈ A_δ, given copies of |ψ⟩, squashing. See the Appendix for more details about squashing and the No-Squashing Conjecture.

The hope is to use this framework, for example, for Alice to convince Bob that she has prepared some state (like a signature) that no one without full knowledge of |ψ⟩ could have prepared with only the limited number of copies of the state |ψ⟩ available. Moreover, we are interested in reusable schemes, by which we mean that the same private key (and corresponding public keys) can be used to identify Alice many times or sign many messages from Alice (recall that the digital signature scheme in Ref. [3] is not reusable: it can only be used to sign one message). This framework may be suitable for reusable schemes, because, as suggested by our example protocol in Section 4.2, it seems to allow protocols where Alice does not divulge (to a verifier or adversary) a significant amount of extra information about the private key (beyond that which is already available from all the copies of the public key), yet retains some advantage over the adversary.

Remark 8 (Notation). In our cryptographic setting, the unknown state |ψ⟩ is now playing the role of |1⟩. Thus, for this section of the paper, we redefine all the objects (e.g., |Ψ^{(t)}⟩, |Ψ_θ⟩, |S^{(t)}⟩, H) that depend on |0⟩ and |1⟩, by replacing each occurrence of |0⟩ with |0⟩ and each occurrence of |1⟩ with |ψ⟩.

4.1 Insecurity of a class of digital signature schemes for classical messages

Theorem 1 can be interpreted as a restriction on any digital signature scheme for classical messages in the above framework. Before we state the result, we give a more detailed description of such a signature scheme.

Suppose that, in the key generation procedure described in the previous section, Alice chose K independent values |ψ_k⟩ from A_δ, k = 1, 2, ..., K. Let x denote the message to be signed. We assume that the full signature state for message x is a J-fold tensor product of states

⊗_{j=1}^{J} σ_j(|ψ_{k(j,x)}⟩),    (51)

where k(j, x) ∈ {1, 2, ..., K} is a publicly known function depending on the particular scheme, and each σ_j(|ψ_{k(j,x)}⟩) is a density operator on span({|0⟩, |ψ_{k(j,x)}⟩}^{⊗n}) such that the coefficients of σ_j(|ψ_{k(j,x)}⟩) with respect to the basis {|0⟩, |ψ_{k(j,x)}⟩}^{⊗n} are publicly known (see footnote 11). Note that, in general, σ_j(|ψ⟩) need not equal σ_{j'}(|ψ⟩) when j ≠ j'.

We assume further that the full verification procedure breaks up into J independent procedures, each denoted P_j, one for each σ_j(|ψ_{k(j,x)}⟩). Thus, if no adversary interferes, Bob would apply the procedure P_j to σ_j(|ψ_{k(j,x)}⟩) (using his copy of the public key and the message) and obtain some measurement statistics. After doing this for all j = 1, 2, ..., J, he would process all the statistics and determine whether to "accept" or "reject" the message-signature pair.

Footnote 11. These coefficients, which may also depend on the message x, are known in that they do not depend on the private key (the classical description of |ψ_{k(j,x)}⟩). This allows the adversary to compute the conditional probabilities required for our state preparation algorithm of Section 3.2.

Corollary 9 (Insecurity of a class of digital signature schemes). Suppose there is a signature scheme with signature state and verification procedure as described above. Suppose further that an adversary can obtain n copies of |ψ_{k(j,x)}⟩, for all j = 1, 2, ..., J. Then the scheme is not information-theoretically secure if, for all j = 1, 2, ..., J, the procedure P_j applied to the state σ_j(e^{iθ}|ψ_{k(j,x)}⟩) produces the same statistics as if it were applied to σ_j(|ψ_{k(j,x)}⟩), for any θ ∈ [0, 2π).

Proof. From Theorem 1 it follows that the adversary can create the uniform mixture over θ ∈ [0, 2π) of σ_j(e^{iθ}|ψ_{k(j,x)}⟩), because this mixture is phase invariant. The procedure P_j applied to this mixture will also produce the same statistics as if it were applied to σ_j(|ψ_{k(j,x)}⟩), thus the scheme is not information-theoretically secure.

We note that, for example, Corollary 9 applies to any scheme such that the only public key states available for use in verification of σ_j(|ψ_{k(j,x)}⟩) are copies of |ψ_{k(j,x)}⟩ (and no other state dependent on the private key) and the verification procedure uses the copies of |ψ_{k(j,x)}⟩ only as input to SWAP-tests (see footnote 12) or similar tests for symmetry under permutations [12, 3]. Generally, the corollary implies that the verification procedure for any secure signature scheme in this framework, where the adversary can obtain sufficiently many copies of |ψ_{k(j,x)}⟩, will have to exploit the global phase of the state vector |ψ_{k(j,x)}⟩ as determined by its classical description.
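To make the mechanism behind Corollary 9 concrete, the following simulation, added to this page and not part of the original paper, treats a single signature block σ_j on n = 2 logical registers. It encodes the hidden basis {|0⟩, |ψ⟩} as the standard qubit basis (legitimate because ⟨0|ψ⟩ = 0 by Eq. (50)), uses a constructed, publicly known signature vector (|00⟩ + |0ψ⟩ + |ψψ⟩)/√3 as σ_j, and compares the honest state with its uniform phase-twirl, i.e. the mixture over θ of σ_j(e^{iθ}|ψ⟩) that the adversary can prepare from copies of |0⟩ and |ψ⟩ by Theorem 1. A verifier who SWAP-tests each register against a copy of |ψ⟩ (pass POVM element (I + |ψ⟩⟨ψ|)/2 per register, from the footnote's pass probability (1 + ⟨ψ|ρ|ψ⟩)/2) obtains identical statistics on both, whereas a SWAP-test against |0⟩ + |ψ⟩, which depends on the global phase of |ψ⟩, separates them. The function names, the signature vector and the two test operators are choices made for this example.

```python
import cmath
import math

# Hidden basis {|0>, |psi>} encoded as the standard qubit basis (legitimate since
# <0|psi> = 0, Eq. (50)).  Two logical registers: basis index 2*a + b with a, b in {0, 1},
# so index 0 = |00>, 1 = |0 psi>, 2 = |psi 0>, 3 = |psi psi>.


def outer(vec):
    """Density matrix |v><v| of a state vector."""
    return [[vec[i] * vec[j].conjugate() for j in range(len(vec))] for i in range(len(vec))]


def kron2(A, B):
    """Kronecker product of two 2x2 matrices (index i = 2*a + b)."""
    return [[A[i // 2][j // 2] * B[i % 2][j % 2] for j in range(4)] for i in range(4)]


def expectation(rho, M):
    """tr(rho M), returned as a real number (M is Hermitian)."""
    n = len(rho)
    return sum(rho[i][j] * M[j][i] for i in range(n) for j in range(n)).real


def weight(x):
    """Number of registers holding |psi> in basis state x (the 'number' of the state)."""
    return bin(x).count("1")


def phase_shift(rho, theta):
    """The state sigma(e^{i theta}|psi>): every |psi> factor acquires the phase e^{i theta}."""
    n = len(rho)
    ph = [cmath.exp(1j * theta * weight(x)) for x in range(n)]
    return [[ph[i] * rho[i][j] * ph[j].conjugate() for j in range(n)] for i in range(n)]


def twirl(rho):
    """Uniform mixture over theta of phase_shift(rho, theta).

    Averaging e^{i theta (weight(i) - weight(j))} over theta kills every matrix element
    between different weights, so the result is block-diagonal in the number basis:
    phase invariant, hence preparable from copies of |0> and |psi> alone (Theorem 1).
    """
    n = len(rho)
    return [[rho[i][j] if weight(i) == weight(j) else 0j for j in range(n)] for i in range(n)]


def twirl_numeric(rho, samples=16):
    """The same mixture computed as an average over equally spaced phases (sanity check)."""
    n = len(rho)
    out = [[0j] * n for _ in range(n)]
    for k in range(samples):
        shifted = phase_shift(rho, 2 * math.pi * k / samples)
        for i in range(n):
            for j in range(n):
                out[i][j] += shifted[i][j] / samples
    return out


def swap_pass_element(phi):
    """POVM element for 'pass' when SWAP-testing one register against the pure state |phi>:
    (I + |phi><phi|)/2, so that tr(rho E) = (1 + <phi|rho|phi>)/2."""
    P = outer(phi)
    return [[((1 if i == j else 0) + P[i][j]) / 2 for j in range(2)] for i in range(2)]


PSI = [0j, 1 + 0j]                                      # |psi>
PLUS = [1 / math.sqrt(2) + 0j, 1 / math.sqrt(2) + 0j]   # (|0> + |psi>)/sqrt2
I2 = [[1 + 0j, 0j], [0j, 1 + 0j]]

# Constructed public signature block sigma_j = |s><s|, |s> = (|00> + |0 psi> + |psi psi>)/sqrt3.
SIGNATURE = [1 / math.sqrt(3) + 0j, 1 / math.sqrt(3) + 0j, 0j, 1 / math.sqrt(3) + 0j]


def verifier_both_pass(rho):
    """Verification P_j of the remark above: SWAP-test each register against a copy of |psi>
    and report the probability that both tests pass.  E (x) E is diagonal in the hidden
    basis, hence phase invariant."""
    E = swap_pass_element(PSI)
    return expectation(rho, kron2(E, E))


def phase_sensitive_pass(rho):
    """A test that uses the global phase of |psi>: SWAP-test register 1 against |0> + |psi>."""
    return expectation(rho, kron2(swap_pass_element(PLUS), I2))


if __name__ == "__main__":
    honest = outer(SIGNATURE)
    forged = twirl(honest)          # what the adversary of Corollary 9 submits
    print("phase-invariant verifier, honest vs forged:",
          verifier_both_pass(honest), verifier_both_pass(forged))      # 7/12, 7/12
    print("phase-sensitive test,     honest vs forged:",
          phase_sensitive_pass(honest), phase_sensitive_pass(forged))  # 11/12, 3/4
```

The twirl is computed both analytically (zeroing every element between different Hamming weights) and numerically as an average over 16 equally spaced phases; the two agree because the weight differences present are at most 2. The forged state is exactly the number-basis block-diagonal form that Theorem 1 lets the adversary prepare; nothing here shows how many copies that preparation costs.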

4.2 Example of a cryptographic protocol in this framework 

We now give an example of a cryptographic protocol that incorporates many of the ideas we have presented. The protocol is actually a translation of the honest-verifier identification scheme of Ref. [15] into our hidden basis setting. The following is an intuitive description (adapted from Section 4.7.5.1 in Goldreich's book [16]) of how a secure identification scheme works.

Suppose Alice generates a private key and authentically distributes copies of the corresponding public key to any potential users of the scheme, including Bob. If Alice wants to identify herself to Bob (i.e. prove that it is she with whom he is communicating), she invokes the identification protocol by first telling Bob that she is Alice, so that Bob knows he should use the public key corresponding to Alice (assuming Bob possesses public keys from many different people). The ensuing protocol, whatever it is, has the property that the prover Alice can convince the verifier Bob (except perhaps with negligible probability) that she is indeed Alice, but an adversary Eve cannot fool Bob (except with negligible probability) into thinking that she is Alice, even after having listened in on the protocol between Alice and Bob or having participated as a (devious) verifier in the protocol with Alice several times. An honest-verifier identification protocol is only intended to be secure under the extra assumption that, whenever Eve engages the prover Alice in the protocol, Eve follows the verification protocol as if she were honest. Note that no identification protocol is secure against a person-in-the-middle attack, where Eve concurrently acts as a verifier with Alice and as a prover with Bob.

Footnote 12. Recall that the SWAP-test [12, 3] of two registers (labelled 2 and 3) in the states |ψ⟩_2 and |φ⟩_3 is a measurement (with respect to the computational basis {|0⟩_1, |1⟩_1}) of the control register (labelled 1) of the state

(H_1 ⊗ I_2 ⊗ I_3)(c-SWAP_{2,3})(|0⟩_1 + |1⟩_1)|ψ⟩_2|φ⟩_3 / √2,    (52)

where H_1 is the Hadamard gate (applied to register 1) and c-SWAP_{2,3} is the controlled-SWAP gate. The probability that the state is |0⟩_1 immediately after the measurement, which corresponds to a "pass", is (1 + |⟨φ|ψ⟩|²)/2. When the registers 2 and 3 are in the mixed states ρ and ρ', this probability is (1 + tr(ρρ'))/2.

As part of the key generation procedure for our protocol, we assume Alice has chosen a random |ψ⟩ ∈ A_δ and has distributed at most r copies of the state

|ψ⟩(|0⟩ + |ψ⟩).    (53)

This state is the public key for one iteration of the kernel of the protocol. The parameter r is the reusability parameter, dictating the maximum number of secure uses of the scheme for a particular public key.

The kernel of our interactive protocol is the following three steps, which form a typical "challenge-response" interactive proof. If the kernel is repeated s times in total, then one copy of the (full) public key (of which there are still r copies in total) would be ⊗_{i=1}^{s} |ψ_i⟩(|0⟩ + |ψ_i⟩), where the |ψ_i⟩ are each independently and uniformly randomly picked from A_δ by Alice. The parameter s is the security parameter, which is chosen after r is fixed.

1. Bob uses |ψ⟩ to create the symmetric state |S⟩ = |0⟩|ψ⟩ + |ψ⟩|0⟩ (as shown in Section 2.2), and sends the leftmost register of this state to Alice.

2. On the received register, Alice performs the logical Hadamard gate H and then measures with respect to an orthogonal basis {|0⟩, ...}. If the state of the register immediately after the measurement is |0⟩, then Alice sends "0" to Bob; otherwise, Alice sends "1".

3. If Bob receives "1", then he applies the Z gate to the register that he kept (that contained half of the symmetric state he made in Step 1). Finally, Bob SWAP-tests this register with the register containing the authentic copy of |0⟩ + |ψ⟩ (the SWAP-test is defined in Section 4.1).

After the kernel is repeated s times, Bob "accepts" if all the SWAP-tests passed; otherwise, Bob "rejects". As a final specification for the protocol, we also stipulate that Alice not engage in the protocol more than r times (when there are r copies of the public key in circulation) for a particular value of the private key.

Before discussing the potential security of this scheme, we note that the honest protocol is correct because

|S⟩ = (H^{-1}|0⟩)(|0⟩ + |ψ⟩) − (H^{-1}|ψ⟩) Z^{-1}(|0⟩ + |ψ⟩),    (54)

that is, if Alice's measurement outcome is |0⟩ then Bob's register is left in |0⟩ + |ψ⟩, and otherwise it is left in Z^{-1}(|0⟩ + |ψ⟩) (up to a global phase), which Bob's Z gate maps back to |0⟩ + |ψ⟩. Hence Bob's SWAP-test always passes when the prover is honest (assuming perfect quantum channels).
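The following simulation, added here and not part of the original paper, runs one kernel of the protocol above with the hidden basis {|0⟩, |ψ⟩} encoded as the standard qubit basis (valid since ⟨0|ψ⟩ = 0) and a prover who measures in the basis {|0⟩ ± e^{iφ}|ψ⟩}. With φ = 0 the prover is Alice and, as Eq. (54) says, Bob's SWAP-test always passes. A prover who has only phase-invariant information, and so must guess the global phase of |ψ⟩, corresponds to a uniformly random φ; this is the no-reference-frame baseline for the black-box attack discussed in Section 4.2.1 (the bounded-reference-frame attack using r samples of |0⟩ + |ψ⟩ does better and is not modelled here). The function names and the parameter φ are the example's own.

```python
import cmath
import math

# Each register is a logical qubit: index 0 = |0>, index 1 = |psi>, a faithful encoding
# because <0|psi> = 0 (Eq. (50)).  A two-register pure state is a list of four amplitudes
# indexed by 2*a + b, where a is the register Bob sends to the prover and b is the one he keeps.

SQRT2 = math.sqrt(2.0)

# |S> = (|0>|psi> + |psi>|0>)/sqrt2, the symmetric state Bob prepares in Step 1.
SYMMETRIC = [0j, 1 / SQRT2 + 0j, 1 / SQRT2 + 0j, 0j]

# Bob's authentic public-key register (|0> + |psi>)/sqrt2, used in the SWAP-test of Step 3.
REFERENCE = [1 / SQRT2 + 0j, 1 / SQRT2 + 0j]


def inner(u, v):
    """<u|v> for single-register vectors."""
    return sum(a.conjugate() * b for a, b in zip(u, v))


def hadamard_basis(phi):
    """Orthonormal basis {(|0> + e^{i phi}|psi>)/sqrt2, (|0> - e^{i phi}|psi>)/sqrt2}.

    phi = 0 is the logical Hadamard basis Alice measures in: applying H and then finding
    |0> is the same event as projecting onto H^{-1}|0>.  A prover who does not know the
    global phase of |psi> is effectively stuck with some phi != 0.
    """
    p = cmath.exp(1j * phi) / SQRT2
    return [[1 / SQRT2 + 0j, p], [1 / SQRT2 + 0j, -p]]


def prover_measures(state, basis):
    """Project register a of `state` onto each basis vector (Step 2).

    Returns a list of (probability, bit sent to Bob, normalized state left in Bob's
    register).  Bit 0 corresponds to the first basis vector, i.e. Alice's outcome |0>.
    """
    outcomes = []
    for bit, vec in enumerate(basis):
        bob = [sum(vec[a].conjugate() * state[2 * a + b] for a in range(2)) for b in range(2)]
        prob = sum(abs(x) ** 2 for x in bob)
        norm = math.sqrt(prob) if prob > 1e-15 else 1.0
        outcomes.append((prob, bit, [x / norm for x in bob]))
    return outcomes


def swap_test_pass(v, w):
    """Pass probability of the SWAP-test on pure states |v>, |w>: (1 + |<v|w>|^2)/2."""
    return (1 + abs(inner(v, w)) ** 2) / 2


def kernel_pass_probability(phi):
    """Probability that Bob's SWAP-test passes in one kernel against a prover using basis phi."""
    total = 0.0
    for prob, bit, bob in prover_measures(SYMMETRIC, hadamard_basis(phi)):
        if bit == 1:
            bob = [bob[0], -bob[1]]  # Step 3: Bob applies Z (in the hidden basis) on "1"
        total += prob * swap_test_pass(bob, REFERENCE)
    return total


def cheat_probability(phi, s):
    """Probability that all s independent kernels pass for a prover stuck with phase phi."""
    return kernel_pass_probability(phi) ** s


def random_phase_average(samples=360):
    """Per-kernel pass probability for a prover who guesses the phase uniformly at random."""
    return sum(kernel_pass_probability(2 * math.pi * k / samples) for k in range(samples)) / samples


def rounds_needed(eps, per_round):
    """Smallest s with per_round**s at most eps: how many kernels defeat that prover."""
    return math.ceil(math.log(eps) / math.log(per_round))


if __name__ == "__main__":
    print("honest prover (phi=0) :", kernel_pass_probability(0.0))          # 1.0
    print("phase off by pi/2     :", kernel_pass_probability(math.pi / 2))  # 0.75
    print("random phase, average :", random_phase_average())                # 0.75
    print("s for eps=1e-6 at 3/4 :", rounds_needed(1e-6, 0.75))             # 49
```

Working through the projection by hand gives the per-kernel pass probability (1 + cos²(φ/2))/2, which the code reproduces: a phase error of π/2 already leaves the prover with 3/4 per kernel, and averaging over a uniformly random φ also gives 3/4, so s kernels push a phase-guessing prover down to (3/4)^s. This is only the baseline; the paper's point is that Eve with r reference samples approaches φ = 0 and that s must grow with r accordingly.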



4.2.1 Discussion of potential security 

Within the hidden basis cryptographic framework, we refer to as black-box attacks those attacks where Eve does not use any information about the structure of A_δ to help her cheat. In the following discussion, we restrict our attention to the honest-verifier setting. The following definition of "security" suffices for our discussion (see footnote 13).

Definition 5 (Security). An honest-verifier identification protocol (for honest prover Alice and honest verifier Bob) is secure with error ε if the probability that Bob "accepts" when any adversary Eve participates in the protocol as a prover is less than ε (assuming that, whenever Eve engages Alice in the protocol, Eve follows the verification protocol honestly).

One obvious black-box attack that Eve could perform is as follows. Eve can collect r' := (r − 1) copies of |0⟩ + |ψ⟩, which are in the state

((|0⟩ + |ψ⟩)/√2)^{⊗ r'}.    (55)

Now, assume Eve performs the inverse of the phase-invariant operation given in Section 2.2, which maps |S^{(t)}⟩ ↦ |Ψ^{(t)}⟩ with no error. The state thus becomes

(56)




Note that this state is similar to |Ψ_θ⟩ but for the coefficients, which now have non-constant moduli (see Remark 3). Thus, Eve can use this state as a phase reference in order to mimic Alice's Hadamard gate.

Footnote 13. As in Ref. [16], our definition of "security" does not include the completeness of the protocol, which stipulates that honest Bob should always accept when the prover is honest (this is easily verified for our protocol). Our definition does not take into account that there may be many different honest provers. As well, we consider neither the parallel nor serial composability of the identification protocol. See Ref. [16] for more details in the classical case.

In the black-box (honest-verifier) setting, given any ε > 0 and r, there indeed exists a value of s (dependent on r and ε) such that the protocol is secure with error ε (assuming perfect quantum channels). For, in this case, the protocol reduces to the honest-verifier-secure protocol of Ref. [15]. The security proof follows from the work of Bartlett et al. [2] on bounded quantum reference frames and is a formalization of the following intuition. Alice always causes Bob's SWAP-test to pass. However, Eve's information about the correct reference frame is limited to her r samples of it (because Eve cannot extract any further information from Alice). Since only an infinite number of samples would allow Eve to perform a measurement in the logical Hadamard basis perfectly (as Alice can), there is always some nonzero probability that Eve causes Bob's SWAP-test to fail. With sufficiently large s, Bob will observe such a failure (except with negligible probability). It turns out that s ∈ Ω(r log(r/ε)) suffices [15].

A security proof would of course need to consider all attacks, not just black-box ones. Note that if squashing required only a small number of copies of |ψ⟩ (see Remark 7), then Eve could prepare more copies of |0⟩ + |ψ⟩ to use as a phase reference for her approximate implementation of H. This is one way that the security of our scheme depends on the assumed difficulty of squashing (e.g., the No-Squashing Conjecture); however, even if Eve could somehow transform her copies of |ψ⟩ into one or more copies of |0⟩ + |ψ⟩, the parameter s could be modestly increased to account for Eve's extra samples of the reference frame, assuming there exists an s such that the scheme is secure for r' samples of |0⟩ + |ψ⟩. The security of the scheme depends more crucially on the weaker conjecture that it is impossible to perform a measurement with respect to the logical Hadamard basis {|0⟩ ± |ψ⟩} (given the limited number of copies of |ψ⟩) much more efficiently than with our black-box reference-frame approach (this conjecture is weaker because if Eve could carry out the measurement, then she could squash).

5 Closing Remarks 

By exploiting phase invariance and mimicking properties of coherent states of light, we have shown how to perform various computational tasks, defined with respect to a hidden computational basis {|0⟩, |1⟩}, efficiently in the required number of copies of |0⟩ and |1⟩. We have shown that such tasks, which were previously not known to be possible, have cryptological application.

We have identified several open problems, including the squashing problem and the harder problem of performing measurements with respect to the hidden Hadamard basis {|0⟩ ± |1⟩}. Another open problem is to investigate to what extent state preparation and universal computation are possible when the assumption that |0⟩ and |1⟩ come from known orthogonal subspaces is dropped, that is, when the only promise is that ⟨0|1⟩ = 0 with |0⟩, |1⟩ ∈ A, where A contains no two states that are equal up to global phase.
Appendix: Squashing and the No-Squashing Conjecture

The squashing problem can be meaningfully (and nontrivially) defined for a broad class of sets of states, not just sets of type A_δ. Let A be a set of pure state vectors in C^M such that no two distinct elements in A are equal up to global phase. (Formally, let {A(M)}_{M=1,2,...} be a family of sets A(M) ⊂ C^M of complex unit vectors expressed relative to the standard basis {|0⟩, |1⟩, ..., |M − 1⟩}. For clarity of presentation, we usually omit the "family" notation {·}_{M=1,2,...}.) Let ε > 0 be the error tolerance parameter. The pair (A, ε) specifies an instance of the general squashing problem, which is to compute, for every |ψ⟩ ∈ A, a state ρ such that



(57) 



given copies of |ψ⟩, where D is the trace distance [8],

σ_{0,ψ} := (|0⟩ + |ψ⟩)(⟨0| + ⟨ψ|),    (58)

and |0⟩ is some known reference state (which, in general, need not be orthogonal to all |ψ⟩ ∈ A). Note that the classical description of A also specifies a global phase for each possible state vector |ψ⟩, so the ideal target state |0⟩ + |ψ⟩ is well defined. The set A should be nontrivial, meaning that it should contain elements that are, pairwise, not orthogonal (as would be the case when A = A_δ); this is analogous to the problem of quantum cloning, where it is trivial to clone states that are promised to come from a prescribed orthogonal set.



Define t(A, ε) to be the smallest t for which there exists a quantum operation Q such that, for all |ψ⟩ ∈ A,



A quantum operation Q that, for some t, satisfies Eq. (59) for all |ψ⟩ ∈ A is called an (A, ε)-squasher, because it "squashes" part of the generalized Bloch sphere towards its |0⟩-pole. We view the number t(A, ε) as measuring the complexity of the squashing problem instance (A, ε). We assume all |ψ⟩ in A are reasonably encoded into qubits and thus take the input size of the problem to be log(M).

Our cryptographic motivation leads us to look for sets A such that t(A, ε) is necessarily large (for sufficiently small ε). For some instances of the general squashing problem, exponential lower bounds on t(A, ε) might be relatively easily obtainable, because it might be the case that, for subexponential values of t, the states σ_{0,ψ} and σ_{0,φ} are further in trace distance (or, equivalently, have lower fidelity) than |ψ⟩^{⊗t} and |φ⟩^{⊗t}. The following example of this shows that the general squashing problem subsumes the black-box search problem (this fact has already been pointed out in Ref. [17], though the author of that paper assumes that squashing is an easy task).

Example 2. Denote by F the quantum Fourier transform on C^M, so that

(59)

(60)

For every j = 0, 1, ..., M − 1, define the state |j*⟩ via

(61)
Let A_2 := {F^†|j*⟩ : j = 0, 1, ..., M − 1} (note that A_2 does not have the property that ⟨0|ψ⟩ = 0 for all |ψ⟩ ∈ A_2). Noting that |j*⟩ + F|0⟩ ∝ |j⟩, we can solve the black-box search problem with a good (A_2, ε)-squasher, where ε is a constant (i.e., if the solution to the search problem is j, then the black box can be used t times to make t copies of F^†|j*⟩). Thus, the well-known √M search lower bound applies to t(A_2, ε). But this is overkill: the lower bound we get from the fact that quantum operations cannot increase trace distance is larger when ε < 1/2, as we now show. If Q is an (A_2, ε)-squasher, then we have (for i ≠ j)

1 − 2ε ≤ D(Q((F^†|i*⟩⟨i*|F)^{⊗t}), Q((F^†|j*⟩⟨j*|F)^{⊗t}))    (62)
       ≤ D((|i*⟩⟨i*|)^{⊗t}, (|j*⟩⟨j*|)^{⊗t})    (63)
       ≤ √(1 − |⟨i*|j*⟩|^{2t})    (64)
       = √(1 − (1 − 4/M)^{2t}),    (65)

so that t ≥ log(4ε(1 − ε)) / (2 log(1 − 4/M)) and thus, for example, t(A_2, ε) ∈ Ω(M) for any constant ε < 1/2. The first line follows from several applications of the triangle inequality and the fact that the trace distance between the squasher's ideal outputs is 1. In subsequent lines, we have used the unitary invariance of the trace distance, the well-known relationship between trace distance and fidelity (see Ref. [8]), the power series expansion log(1 − x) = −x − x²/2 − x³/3 − ··· for x ∈ [−1, 1), and the fact that, for 0 < x < 1/2,

x + x²/2 + x³/3 + ··· < x(1 + x + x² + ···) = x(1 − x)^{-1} < 2x.    (66)

The cryptographic framework uses sets of type A_δ, which have, among others, the two properties defined in Eq. (49) and Eq. (50). The latter property, that ⟨0|ψ⟩ = 0 for all |ψ⟩ in A_δ, is particular to our version of the framework. The former property of pairwise δ-almost-orthogonality is a reasonable condition to impose on quantum-public-key cryptography in general, in order to avoid a situation where two different private keys correspond to practically indistinguishable physical scenarios. For example, suppose Alice-x has private key x and Alice-y has private key y, and x ≠ y; we would not want Alice-y to be able to convince Bob that she is Alice-x with significant probability. This property also rules out trivial lower-bound arguments based on distinguishability, like in Example 2, because an (A_δ, 0)-squasher does not increase pairwise distinguishability, by which we mean that, for all distinct |ψ⟩ and |φ⟩ in A_δ,

D(σ_{0,ψ}, σ_{0,φ}) ≤ D((|ψ⟩⟨ψ|)^{⊗t}, (|φ⟩⟨φ|)^{⊗t})    (67)

for some t ∈ O(polylog(M)); in the particular case of A_δ, the inequality (67) actually holds for a constant t (dependent on δ). The set A_2 in Example 2 has neither of the two properties discussed in this paragraph, and we cannot see how to harness the provable difficulty of squashing A_2 for potential cryptographic application.

We now state the No-Squashing Conjecture more precisely. Call A_δ efficient if and only if there is a succinct description of A_δ (so that its classical description may be easily published) and each state in A_δ is efficiently computable given its classical description (i.e., although we do not bound Eve's computational power, we prefer that Alice and Bob are bounded by polynomial time). Since the trace distance between σ_{0,ψ} and the trivially-preparable mixture (|0⟩⟨0| + |ψ⟩⟨ψ|)/2 is 1/2, we take ε < 1/2 in the conjecture.

Conjecture 10 (No-Squashing). There exists an efficient A_δ such that

t(A_δ, ε) ∈ ω((log(M))^κ) for all constants κ > 0 and any nonnegative constant ε < 1/2.

Our choice of the superpolynomial bound in the conjecture corresponds to the usual meaning of "large" or "inefficient" in complexity theory. We do not claim that proving such a bound has immediate cryptographic application: recall that no result about the difficulty of squashing is sufficient for establishing the honest-verifier security of the protocol of Section 4.2.

We also leave as an open problem to find any set A such that the (A, 0)-squasher does not increase pairwise distinguishability and is not completely positive (or prove no such A exists). Note that the one-qubit universal-NOT gate [18], which maps

α|0⟩ + β|1⟩ ↦ β*|0⟩ − α*|1⟩    (68)

for any qubit state α|0⟩ + β|1⟩, does not increase pairwise distinguishability and is known to be not completely positive.